DOCSLIB.ORG

Hands-On Laboratory on Web Content Injection Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science TUT Centre for Digital Forensics and Cyber Security Hands-on laboratory on web content injection attacks Master’s thesis ITC70LT Anti Räis 121973IVCMM Supervisors Elar Lang, MSc Rain Ottis, PhD Tallinn 2015 Declaration I declare that this thesis is the result of my own research except as cited in the refer- ences. The thesis has not been accepted for any degree and is not concurrently submitted in candidature of any other degree. Anti Räis May 22, 2015 ........................ (Signature) Abstract This thesis focuses on explaining web application injection attacks in a practical hands-on laboratory. It is an improvement on Lang’s [1] master’s thesis about web appli- cation security. One of the main contributions of this thesis is gathering and structuring information about Cross Site Scripting (XSS) attacks and defenses and then presenting them in a practical learning environment. This is done to better explain the nuances and details that are involved in attacks against web applications. A thorough and clear under- standing of how these attacks work is the foundation for defense. The thesis is in English and contains 95 pages of text, 6 chapters, 4 figures, 27 tables. Annotatsioon Magistritöö eesmärk on selgitada kuidas töötavad erinevad kaitsemeetmed veebi- rakenduste rünnete vastu. Töö täiendab osaliselt Langi [1] magistritööd veebirakenduse rünnete kohta. Põhiline panus antud töös on koguda, täiendada ja struktureerida teavet XSS rünnete kohta ning luua õppelabor, kus on võimalik antud teadmisi praktikas rak- endada. See aitab kinnistada ja paremini mõista teemat. Selge ning täpne arusaamine, kuidas ründed toimuvad, on korrektse kaitse aluseks. Lõputöö on kirjutatud Inglise keeles ning sisaldab teksti 95 leheküljel, 6 peatükki, 4 joonist, 27 tabelit. Contents 1 Introduction 1 1.1 Problem statement and contribution of the thesis . .3 1.2 Implied expectations from the reader . .4 1.3 Outline of the thesis . .4 1.4 Ethical considerations . .4 1.5 Acknowledgments . .5 2 The essence of XSS 6 2.1 Ambiguity of XSS . .6 2.2 Definition of XSS . .7 2.3 Parsing a HTML document . .7 2.3.1 Parsing order . .8 2.3.2 Escape and encoding sequences . 10 2.3.3 Decoding order . 14 2.3.4 Notes about implementation . 16 2.4 Web content injection attacks . 18 2.4.1 HTML tag . 18 2.4.2 HTML attributes . 19 2.4.3 HTML comments . 21 2.4.4 URL as attribute value . 22 v 2.4.5 CSS . 24 2.4.6 Script tag and event handlers . 27 2.4.7 Overview of context specific characters . 29 2.5 XSS classification . 29 2.5.1 Reflected XSS . 30 2.5.2 Stored XSS . 31 2.5.3 DOM XSS . 32 2.5.4 Mutation XSS . 33 2.5.5 XSS in browser extensions . 34 2.5.6 Universal XSS . 35 3 XSS mitigation solutions 36 3.1 Defenses in the application . 36 3.1.1 Input sanitization . 36 3.1.2 Blacklisting . 37 3.1.3 “Stripping and replacing” . 37 3.1.4 Escaping . 37 3.1.5 Encoding . 38 3.1.6 Code rewriting . 38 3.2 Defenses on the server . 39 3.2.1 WAF . 39 3.2.2 Content Security Policy . 39 3.2.3 Response headers . 40 3.3 Defenses on the client-side . 43 3.3.1 SOP . 43 3.3.2 Internet Explorer’s XSS Auditor . 45 vi 3.3.3 Webkit’s XSS Auditor . 46 3.3.4 NoScript . 46 3.3.5 Shortcomings of XSS filter . 46 4 Defenses in different languages 48 4.1 ASP.NET . 48 4.2 JavaScript . 49 4.3 Java ..................................... 53 4.4 PHP . 56 4.5 Python . 58 4.6 Ruby . 59 5 Hands on laboratory 61 5.1 The purpose and expected result . 61 5.2 How to construct and conduct the training . 61 5.3 Laboratory . 62 5.3.1 Implementation . 63 5.4 Example exercise walk-through . 64 5.4.1 User input between HTML tags . 65 5.4.2 User input in JavaScript context . 65 5.4.3 User input in HTML element and URL contexts . 68 5.5 Constraints . 69 6 Conclusion 70 References 72 Code examples 81 vii List of Figures 84 List of Tables 85 List of acronyms 87 A Appendixes 89 A.1 Browser tolerance in accepting various characters . 89 viii 1. Introduction The trend in the software industry has been to make more and more services avail- able over the Internet. The web page is used as an administrative interface for services like electronic mail and e-commerce applications. Banks have long built their basic ser- vices to be used over the Internet and require only the crucial activities to be done in person [2]. In 2001 Estonia introduced X-Road [3], which provides the backbone for all the different services in use. Web site eesti.ee is one example, where the citizens can use different state related services and query information about themselves. These have become integral part of our everyday lives for large part of population. The author’s experience is, that developing a web service, just like any other soft- ware development project, can be a difficult task. The number of software dependencies increases as the project grows and evolves, e.g. addition software libraries are introduced to the system. This, in turn, makes it more complicated to manage and guarantee the correctness of the code [4]. The requirements change, meaning that a part of the sys- tem has to be written from scratch without breaking any other logic. There are also time constraints, that will force the developer to move to a next task as soon the previous func- tionality is working. All members of the team have to synchronize their work and agree on future tasks. This leads to inconsistencies and bugs since a single developer does not have the capability to handle all the dependencies correctly in a complex code base. All of those factors make it difficult to properly manage the development. In addition, developers make mistakes that lead to security issues. It takes years to learn and master the best practices of software development and apply them properly. In the meantime, the inexperienced developer continues to make the same mistakes and the overall security does not improve. Therefore, it is wise to use tools and frameworks, where several security related issues are resolved. Unfortunately, even using a well known and tested frameworks or languages does not guarantee a secure application [5–7]. Developing web services is a double edged sword - they provide the ease of access to 1 the information, but at the same time open the door to the malicious use. In 2013 a team of researches disclosed a vulnerability report about SOHO routers. They found that a Netgear WNDR4700 router could be exploited through a particular page that when visited by any user, authenticated or not, causes the router to no longer require a password to access the web administrative page [8]. Once activated, the all administrative functionality is visible to any user without credentials. Furthermore, once this vulnerability is exploited, it will persist through router reboots and is only removed through a factory reset. An attacker might only need one vulnerability, but the developer has to find them all. For example, after the Heartbleed vulnerability [9] was disclosed, researchers found additional issues with the code [10, 11]. The Open Web Application Security Project (OWASP) provides a TOP10 list of most prevalent issues regarding the software development [12]. We can see, that the top three issues have been the same compared to the previous report 1, which was published in 2010. Among them we can see a XSS vulnerability. In 2007 it was ranked as the topmost issue 2 and in 2004 it held a fourth position 3. Common Weakness Enumeration (CWE), which is published by the SANS institute, ranks XSS as fourth out of 25 most serious security vulnerabilities [13], supporting the fact that XSS is a serious problem. The OWASP provides resources for developers to read and study on that matter, however the XSS vulnerability has proven to be persistent in web applications. Defenses against XSS attacks has been studied before. Numerous researchers have proposed different solutions, e.g. defensive coding practices [14, 15], run-time monitoring solutions [16], XSS vulnerability testers and scanners both for run-time and for static code analysis. The secure coding practices provide the foundation of secure software, but it is prone to security issues because of human errors. Updated information about the latest XSS attack and defense vectors is fragmented. Keeping up and testing the latest bypasses requires additional time from developers. In addition, applying a defense must be done properly or the defense is inadequate. This is the problem that this thesis will address. 1https://www.owasp.org/index.php/OWASP_Top_10#OWASP_Top_10_for_2010 2https://www.owasp.org/index.php/Top_10_2007 3https://www.owasp.org/index.php/Top_10_2004 2 1.1 Problem statement and contribution of the thesis In 2012, Lang [1] created a web application security course to raise awareness about numerous security issues and to give a practical knowledge about different attack vectors. It consists of four days of theoretical attack scenarios together with practical hands-on laboratories. It focuses on applying the theoretical attack vectors in practice and from there, demonstrate how these could be mitigated. This ensures, that the participant has the necessary knowledge about how to apply various defenses and how they could be bypassed. One part of it is covering different web application injections attacks, discussed in the following chapters. Many participants have expressed their wish for more in depth explanation how to properly defend against it.
Recommended publications
  • Vbscript Programmer's Reference

    Vbscript Programmer's Reference

    Table of Contents VBScript Programmer's Reference...................................................................................................................1 Introduction.........................................................................................................................................................6 Who is this Book For?............................................................................................................................6 How to Use this Book.............................................................................................................................6 What is VBScript?..................................................................................................................................7 What Can You Do With VBScript?......................................................................................................11 What Tools Do You Need to Use VBScript?.......................................................................................14 What's New in VBScript 5?..................................................................................................................15 Code Conventions.................................................................................................................................17 Tell Us What You Think.......................................................................................................................17 Customer Support.................................................................................................................................18
  • Xcentrisity® BIS Addpack for Visual COBOL

    Xcentrisity® BIS Addpack for Visual COBOL

    Xcentrisity® BIS AddPack for Visual COBOL User's Guide Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK http://www.microfocus.com © Copyright 2009-2020 Micro Focus or one of its affiliates. MICRO FOCUS, the Micro Focus logo and Visual COBOL are trademarks or registered trademarks of Micro Focus or one of its affiliates. All other marks are the property of their respective owners. 2020-06-17 ii Contents Xcentrisity Business Information Server for Visual COBOL User's Guide ............................................................................................................................. 5 Copyright and Trademarks .................................................................................................. 5 Introducing the Business Information Server ...................................................................... 5 Overview .................................................................................................................. 6 Installation on Windows ............................................................................................7 Installation on UNIX ..................................................................................................9 Testing the Installation ............................................................................................11 Uninstalling BIS for IIS ........................................................................................... 11 Uninstalling BIS for Apache ....................................................................................12
  • HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014

    HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014

    HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S.
  • Aspects of AJAX

    Aspects of AJAX

    Aspects of AJAX Aspects of AJAX Published online at http://www.mathertel.de/AJAX/AJAXeBook.aspx By Matthias Hertel, 2005•2007 Version 1.2 published 1. May 2007 1 Aspects of AJAX About this book This book is about an AJAX Framework and an AJAX Engine for JavaScript, XML, SOAP, WSDL und ASP.NET using standard Web Services on the server. This book is containing the updated articles and samples from my Blog "Aspects of AJAX", available at http://ajaxaspects.blogspot.com/ together with some new and rewritten articles. The implementation of the Samples, the AJAX Engine and a lot of web controls can be found on http://www.mathertel.de/AJAXEngine/. The License This book and all the articles on my blog are licensed under a Creative Commons Attribution 2.0 License that can be found at http://creativecommons.org/licenses/by/2.0/de/. The software itself is licensed under a BSD style license that can be found at http://www.mathertel.de/License.aspx. State of this book This book is still not finished and will be updated and extended from time to time. You will find more information when reading the Blog or downloading a new copy of this book. There are still a lot of aspects undocumented or undiscovered. State of the Software The AJAX engine is working fine in many projects I do myself and I’ve heard about and you can use it where ever you want. The license model I’ve chosen to publish the information and the source code allows also a commercial use of it.
  • A Novel Approach of MIME Sniffing Using

    A Novel Approach of MIME Sniffing Using

    ISSN: 2277-3754 ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 4, Issue 11, May 2015 A Novel Approach of MIME Sniffing using AES Ankita Singh, Amit Saxena, Dr.Manish Manoria TRUBA Institute of Engineering and Information Technology (TIEIT), Bhopal (M.P) We discuss some web application attacks which can be Abstract— In today’s scenario communication is rely on possible over browser also discuss security concern can be web, users can access these information from web with the use applied in future for security on web application of browsers, as the usage of web increases the security of data is required. If browser renders malicious html contents or environment. JavaScript code block, the content sniffing attack may occur. The contents are divided in different sections. In section In this paper we provide a framework with AES algorithm to 2 we mention different types of attacks. Related work is secure the content sniffing for the web browsers with text, discussed in section 3. Proposed work is discussed in image and PDF files. In this work the data files having section 4. Result analysis in section 5. Conclusion and encryption then partition in multiple parts for reducing the future direction in Section 6, and then references are duration of file transmission and transferring with parity bit checking to identify the attack. mention. II. ATTACKS Index Terms— Cross-Site Scripting, Web Application We discuss about some attacks, associated with this Security, Content Sniffing, MIME, AES. work. ClickJacking[11] - The purpose of this attack is to open I.
  • Market-Driven Framework for Guiding Optimisation Decisions in Embedded Systems Master of Science Thesis in the Software Engineering Programme

    Market-Driven Framework for Guiding Optimisation Decisions in Embedded Systems Master of Science Thesis in the Software Engineering Programme

    Market-Driven Framework for Guiding Optimisation Decisions in Embedded Systems Master of Science Thesis in the Software Engineering Programme Sofia Charalampidou Paschalis Tsolakidis Chalmers University of Technology University of Gothenburg Department of Computer Science and Engineering Göteborg, Sweden, August 2013 The Author grants to Chalmers University of Technology and University of Gothenburg the non- exclusive right to publish the Work electronically and in a non-commercial purpose make it accessible on the Internet. The Author warrants that he/she is the author to the Work, and warrants that the Work does not contain text, pictures or other material that violates copyright law. The Author shall, when transferring the rights of the Work to a third party (for example a publisher or a company), acknowledge the third party about this agreement. If the Author has signed a copyright agreement with a third party regarding the Work, the Author warrants hereby that he/she has obtained any necessary permission from this third party to let Chalmers University of Technology and University of Gothenburg store the Work electronically and make it accessible on the Internet. Market-Driven Framework for Guiding Optimisation Decisions in Embedded Systems Sofia Charalampidou, Paschalis Tsolakidis © Sofia Charalampidou, August 2013. © Paschalis Tsolakidis, August 2013. Examiner: Richard Torkar Supervisors: Christian Berger (Chalmers), Tobjörn Mattsson (Mecel AB) Chalmers University of Technology University of Gothenburg Department of Computer Science and Engineering SE-412 96 Göteborg Sweden Telephone + 46 (0)31-772 1000 Department of Computer Science and Engineering Göteborg, Sweden August 2013 Market Driven Framework for Guiding Optimisation Decisions in Embedded Systems CHALMERS UNIVERSITY OF TECHNOLOGY Department of Computer Science and Engineering Abstract The recent need for web connectivity in the embedded systems domain and in particular the In-Vehicle Infotainment (IVI), has fired discussions about the integration of HTML components in these systems.
  • Technologies for Connecting and Using Databases and Server Applications on the World Wide Web

    Technologies for Connecting and Using Databases and Server Applications on the World Wide Web

    Technologies for Connecting and Using Databases and Server Applications on the World Wide Web by Adolfo G. Castellon Jr. Submitted to the Department of Electrical Engineering and Computer Science on May 23, 1997, in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science Abstract This paper presents a study of current technologies used to build applications that make use of the World Wide Web. In particular, this paper discusses three different technologies (Java Beans, OLE/ActiveX and CORBA) born of very different heritage, that are evolving towards a common goal. The emphasis is on technologies that have been recently developed to connect databases to Web applications. Two applications created by the author are used to demonstrate specific types of emerging web technologies. Thesis Supervisor: Dr. Amar Gupta Title: Co-Director, Productivity from Information Technology (PROFIT) Initiative Table of Contents 1 Introduction..............................................................................................................................................................3 1.1 Overview...................................................................................................................................................... ..................................................................................................................................................................3 1.2 Conventions: How to Read This Document.........................................................................................
  • Vbscript Programmer’S Reference Third Edition

    Vbscript Programmer’S Reference Third Edition

    VBScript Programmer’s Reference Third Edition Adrian Kingsley-Hughes Kathie Kingsley-Hughes Daniel Read Wiley Publishing, Inc. ffirs.indd iii 8/28/07 9:41:21 AM ffirs.indd vi 8/28/07 9:41:22 AM VBScript Programmer’s Reference Third Edition Introduction . xxv Chapter 1: A Quick Introduction to Programming . 1 Chapter 2: What VBScript Is — and Isn’t! . 31 Chapter 3: Data Types . 45 Chapter 4: Variables and Procedures . 83 Chapter 5: Control of Flow . 109 Chapter 6: Error Handling and Debugging . 129 Chapter 7: The Scripting Runtime Objects . 183 Chapter 8: Classes in VBScript (Writing Your Own COM Objects) . 209 Chapter 9: Regular Expressions . 233 Chapter 10: Client-Side Web Scripting . 261 Chapter 11: Windows Sidebars and Gadgets . 287 Chapter 12: Task Scheduler Scripting . 309 Chapter 13: PowerShell . 345 Chapter 14: Super-Charged Client-Side Scripting . 375 Chapter 15: Windows Script Host . 405 Chapter 16: Windows Script Components . 465 Chapter 17: Script Encoding . 489 Chapter 18: Remote Scripting . 509 Chapter 19: HTML Applications . 517 Chapter 20: Server-Side Web Scripting . 535 Chapter 21: Adding VBScript to Your VB and .NET Applications . 569 (Continued) ffirs.indd i 8/28/07 9:41:21 AM Appendix A: VBScript Functions and Keywords . 603 Appendix B: Variable Naming Convention . 675 Appendix C: Coding Conventions . 677 Appendix D: Visual Basic Constants Supported in VBScript . 681 Appendix E: VBScript Error Codes and the Err Object . 687 Appendix F: The Scripting Runtime Library Object Reference . 703 Appendix G: The Windows Script Host Object Model . 715 Appendix H: Regular Expressions . 723 Appendix I: The Variant Subtypes .
  • All Your Iframes Point to Us

    All Your Iframes Point to Us

    All Your iFRAMEs Point to Us Niels Provos Panayiotis Mavrommatis Moheeb Abu Rajab Fabian Monrose Google Inc. Johns Hopkins University {niels, panayiotis}@google.com {moheeb, fabian}@cs.jhu.edu Abstract tacks are being replaced by other mechanisms. Chief As the web continues to play an ever increasing role among these is the exploitation of the web, and the ser- in information exchange, so too is it becoming the pre- vices built upon it, to distribute malware. vailing platform for infecting vulnerable hosts. In this This change in the playing field is particularly alarm- paper, we provide a detailed study of the pervasiveness ing, because unlike traditional scanning attacks that use of so-called drive-by downloads on the Internet. Drive- push-based infection to increase their population, web- by downloads are caused by URLs that attempt to exploit based malware infection follows a pull-based model. For their visitors and cause malware to be installed and run the most part, the techniques in use today for deliver- automatically. Over a period of 10 months we processed ing web-malware can be divided into two main cate- billions of URLs, and our results shows that a non-trivial gories. In the first case, attackers use various social en- amount, of over 3 million malicious URLs, initiate drive- gineering techniques to entice the visitors of a website by downloads. An even more troubling finding is that to download and run malware. The second, more de- approximately 1.3% of the incoming search queries to vious case, involves the underhanded tactic of targeting Google’s search engine returned at least one URL labeled various browser vulnerabilities to automatically down- as malicious in the results page.
  • Der Security-Leitfaden Für Webentwickler

    Der Security-Leitfaden Für Webentwickler

    Tangled Web - Der Security-Leitfaden für Webentwickler Deutsche Ausgabe – Aktualisiert und erweitert von Mario Heiderich von Michal Zalewski, Mario Heiderich 1. Auflage Tangled Web - Der Security-Leitfaden für Webentwickler – Zalewski / Heiderich schnell und portofrei erhältlich bei beck-shop.de DIE FACHBUCHHANDLUNG Thematische Gliederung: Netzwerksicherheit – Netzwerksicherheit dpunkt.verlag 2012 Verlag C.H. Beck im Internet: www.beck.de ISBN 978 3 86490 002 0 Inhaltsverzeichnis: Tangled Web - Der Security-Leitfaden für Webentwickler – Zalewski / Heiderich 245 13 Mechanismen zur Inhaltserkennung Bis jetzt haben wir einige gutgemeinte Browsermerkmale betrachtet, die sich im Laufe der Entwicklung der Technologie als kurzsichtig und geradezu gefährlich erwiesen haben. In der Geschichte des Web hat sich jedoch nichts als so fehlgelei- tet herausgestellt wie das sogenannte Content-Sniffing. Ursprünglich lag dem Content-Sniffing folgende simple Annahme zugrunde: Browseranbieter gingen davon aus, dass es in manchen Fällen angemessen – und sogar wünschenswert – sei, die normalerweise vom Server stammenden verbind- lichen Metadaten eines geladenen Dokuments zu ignorieren, so etwa den Header Content-Type. Anstatt die erklärte Absicht des Entwicklers zu akzeptieren, versu- chen viele existierende Browser stattdessen den Inhaltstyp zu erraten, indem sie proprietäre Heuristiken auf die vom Server zurückgegebenen Daten anwenden. Das Ziel dieses Vorgehens ist es, eventuelle Unstimmigkeiten zwischen Typ und Inhalt zu »korrigieren«. (Erinnern Sie sich
  • Secure Input for Web Applications

    Secure Input for Web Applications

    Secure Input for Web Applications Martin Szydlowski, Christopher Kruegel, Engin Kirda Secure Systems Lab Technical University Vienna Vienna, Austria {msz,chris,ek}@seclab.tuwien.ac.at Abstract technical sophistication and understanding of many web users have also attracted miscreants who aim to make easy The web is an indispensable part of our lives. Every day, financial profits. The attacks these people have been been millions of users purchase items, transfer money, retrieve launching range from simple social engineering attempts information and communicate over the web. Although the (e.g., using phishing sites) to more sophisticated attacks that web is convenient for many users because it provides any- involve the installation of Trojan horses on client machines time, anywhere access to information and services, at the (e.g., by exploiting vulnerabilities in browsers in so-called same time, it has also become a prime target for miscreants drive-by attacks [19]). who attack unsuspecting web users with the aim of making An important web security research problem is how to an easy profit. The last years have shown a significant rise effectively enable a user who is running a client on an un- in the number of web-based attacks, highlighting the impor- trusted platform (i.e., a platform that may be under the con- tance of techniques and tools for increasing the security of trol of an attacker) to securely communicate with a web ap- web applications. plication. More precisely, can we ensure the confidentiality An important web security research problem is how to and integrity of sensitive data that the user sends to the web enable a user on an untrusted platform (e.g., a computer application even if the user’s platform is compromised by an that has been compromised by malware) to securely trans- attacker? Clearly, this is an important, but difficult problem.
  • Developer's Guide

    Developer's Guide

    Developer's Guide Genesys Web Engagement 8.5.0 3/10/2020 Table of Contents Genesys Web Engagement Developer's Guide 3 High-Level Architecture 5 Monitoring 14 Visitor Identification 16 Events Structure 20 Notification 27 Engagement 28 Application Development 41 Creating an Application 45 Generating and Configuring the Instrumentation Script 47 Customizing an Application 59 Creating Business Information 61 Simple Engagement Model 62 Advanced Engagement Model 71 Publishing the CEP Rule Templates 78 Customizing the SCXML Strategies 96 Customizing the Engagement Strategy 98 Customizing the Chat Routing Strategy 135 Customizing the Browser Tier Widgets 143 Deploying an Application 152 Starting the Web Engagement Server 153 Deploying a Rules Package 154 Testing with ZAP Proxy 163 Sample Applications 176 Get Information About Your Application 177 Integrating Web Engagement and Co-browse with Chat 178 Media Integration 196 Using Pacing Information to Serve Reactive Requests 205 Dynamic Multi-language Localization Application Sample 213 Genesys Web Engagement Developer's Guide Genesys Web Engagement Developer's Guide Welcome to the Genesys Web Engagement 8.5 Developer's Guide. This document provides information about how you can customize GWE for your website. See the summary of chapters below. Architecture Developing a GWE Application Find information about Web Engagement Find procedures to develop an application. architecture and functions. Creating an Application High-Level Architecture Instrumentation Script Engagement Starting the Web Engagement